HIPAA Privacy Rule Implementation Status

ReportRichard M. Campanelli, J.D.

Director, Office for Civil RightsBefore the

The Tenth National HIPAA SummitApril 8, 2005

2

Status of Complaints (Through March 31, 2005)

11,920 logged in nationally, 65% already closed

Most common closure reasons:– Non-jurisdictional (Not Covered Entity or

Violation alleged predated 4/14/2003)– Allegation not prohibited by the Privacy Rule– Matter was resolved through voluntary

compliance and technical assistance

3

Entities Most Complained Against (as of 3/31/2005)

Private Practices General Hospitals Pharmacies Outpatient Facilities Group Health Plans

4

Common Allegations (through March 31, 2005)

Impermissible Uses/Disclosures Inadequate safeguards Access to records denied or charged

excessive fees Failure to adhere to minimum necessary

procedures Failure to obtain a valid authorization

where one is required

5

Disclosing PHI in Litigation

Permitted uses/disclosures of PHI for litigation include, for example:– Required by law (e.g., court-ordered)– Payment (e.g., collection action)– With individual’s authorization– §164.512(e)—judicial and

administrative proceedings– For covered entity’s (CE) health

care operations

6

Disclosing PHI in Litigation

Whether litigation uses and disclosures fall under §164.512(e) or health care operations (hco) depends on whether the covered entity is a party to the proceeding- CE non-party: §164.512(e)- CE party: health care operations

7

Disclosing PHI in Litigation: CE as Non-Party

When CE is a non-party, it may disclose PHI for judicial or administrative proceedings if in response to:– Order of a court or administrative tribunal– Subpoena, discovery request, or other

lawful process, on satisfactory assurance of notice or qualified protective order

8

Satisfactory Assurances: Non-Party CE Disclosures

Documentation that notice was provided to the individual’s lawyer is sufficient

Copy of subpoena/other request may be sufficient if on its face it shows– Adequate notice was provided

• Sufficient detail to allow objections– Time for objections lapsed without

objection, or all objections resolved

9

Disclosing PHI in Litigation: CE as a Party

When CE is a party to the proceeding, it may use or disclose PHI for litigation as part of its health care operations

10

Disclosing PHI in Litigation

Minimum necessary applies– CE may reasonably rely on lawyer’s

minimum necessary representation when sharing information with lawyer who is workforce or business associate

– Lawyer, as workforce or business associate, must apply minimum necessary to its disclosures

11

Lawyers and Minimum Necessary

When lawyer discloses minimum necessary PHI, depending on context, it may mean something more than mere relevance, e.g.,– De-identification– Stripping direct identifiers– Removing certain health or treatment

information not pertinent to issue raised in litigation

12

Lawyer/BAs and their Agents

BA contract requires BA/lawyers to ensure that their agents or subcontractors protect privacy, just as the lawyer must. – Includes 3rd parties that further lawyer’s legal

services to CE, e.g., other legal counsel, jury consultants, file managers, investigators, litigation support personnel

– Does not include opposing counsel, fact witness, others not assisting lawyer in providing legal services to client

13

Using and Disclosing PHI to an Interpreter

When interpreter is

- Workforce member of CEor

- BA of CE

No authorization of the individual is required

14

Interpreter Identified by Individual

When interpreter is identified by individual as involved in care, CE may

- Ascertain that individual agrees or does not object to disclosure to interpreter

or- Exercising professional judgment, reasonably infer from the circumstances

that individual does not object to disclosure to interpreter

15

Application in Provider Setting

No employee, volunteer or contractor is available to competently interpret for an individual

- Provider identifies and contacts a telephone interpreter service

- Interpreter explains to patient that interpreter is available to assist

From context, provider may judge whether individual wants this assistance (§164.510(b))

Provider may then reasonably infer that individual does not object to disclosure of PHI to interpreter

16

Title VI of Civil Rights Act of 1964

Covered entities may also have obligations under Title VI of the Civil Rights Act of 1964 to take reasonable steps to provide meaningful access to LEP persons

Consult OCR’s guidance on Title VI obligations to LEP persons for important discussion of other considerations in providing language services